Integrations/Gemini

Gemini Agent Guardrails with Veto

Add runtime authorization to Google Gemini agents with function calling. Block dangerous actions, enforce policies, and require human approval for sensitive operations.

Start free Read the docs

Gemini agent guardrails and authorization

Google Gemini authorization controls what actions your Gemini-powered agents can take through function calling. Veto intercepts function declarations before they reach Gemini, enforcing policies on tool execution without modifying your agent's logic. Works with Gemini 3.1 Pro, Gemini 3.1 Flash, and all models that support function calling.

Why Gemini agents need authorization

Gemini's function calling lets agents interact with external systems: send emails, modify databases, delete files, make payments. The model decides which functions to call and with what arguments. That decision is probabilistic. Gemini's built-in safety settings handle content moderation (harassment, hate speech, dangerous content) but they do not control which functions execute or validate function arguments.

A Gemini agent told to "clean up old files" might call delete_file on production data. An agent processing customer requests might call send_email to external addresses with sensitive data. These are not safety filter problems. They are authorization problems. Veto solves them at the function call boundary.

Quick start

Wrap your Gemini function declarations with Veto's protect() function. The agent code stays the same. Authorization happens at the tool boundary.

Gemini + Veto quick starttypescript

import { GoogleGenerativeAI } from '@google/generative-ai';
import { protect } from 'veto-sdk';

const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY!);
const model = genAI.getGenerativeModel({ model: 'gemini-3.1-flash' });

const rawTools = [
  {
    functionDeclarations: [
      {
        name: 'send_email',
        description: 'Send an email to a recipient',
        parameters: {
          type: 'object',
          properties: {
            to: { type: 'string', description: 'Recipient email' },
            subject: { type: 'string' },
            body: { type: 'string' },
          },
          required: ['to', 'subject', 'body'],
        },
      },
      {
        name: 'delete_file',
        description: 'Delete a file from the system',
        parameters: {
          type: 'object',
          properties: {
            path: { type: 'string', description: 'File path to delete' },
          },
          required: ['path'],
        },
      },
    ],
  },
];

// One line. Authorization enforced before Gemini sees the tools.
const tools = await protect(rawTools);

const result = await model.generateContent({
  contents: [{ role: 'user', parts: [{ text: 'Clean up temp files' }] }],
  tools,
});

Function call interception

For more control, intercept Gemini's function call responses individually. This pattern works when you need to handle approval workflows or return custom error messages to the model.

Intercept individual function callstypescript

import { Veto } from 'veto-sdk';

const veto = await Veto.init({ apiKey: process.env.VETO_API_KEY });

async function handleGeminiFunctionCall(
  functionCall: { name: string; args: Record<string, unknown> }
) {
  // Validate the function call before executing
  const decision = await veto.guard(functionCall.name, functionCall.args);

  if (decision.decision === 'deny') {
    return {
      functionResponse: {
        name: functionCall.name,
        response: { error: decision.reason },
      },
    };
  }

  if (decision.decision === 'require_approval') {
    return {
      functionResponse: {
        name: functionCall.name,
        response: { error: 'This action requires human approval. Request ID: ' + decision.approvalId },
      },
    };
  }

  // Execute the function
  const result = await executeTool(functionCall.name, functionCall.args);
  return {
    functionResponse: {
      name: functionCall.name,
      response: result,
    },
  };
}

Policy rules

Define authorization policies in YAML. Rules evaluate tool calls against conditions like argument values, context, and rate limits.

veto/rules/gemini-safety.yamlyaml

version: "1.0"
name: Gemini agent safety rules

rules:
  - id: block-external-emails
    action: block
    tools: [send_email]
    conditions:
      - field: arguments.to
        operator: not_matches
        value: "@company\.com$"
    message: "External emails require approval"

  - id: require-approval-deletes
    action: require_approval
    tools: [delete_file]
    conditions:
      - field: arguments.path
        operator: not_matches
        value: "^/tmp/"
    message: "Deleting non-temp files requires human approval"

  - id: rate-limit-emails
    action: block
    tools: [send_email]
    conditions:
      - field: context.hourly_count
        operator: greater_than
        value: 10
    message: "Email rate limit exceeded (10/hour)"

Multi-modal safety

Gemini processes text, images, audio, and video. Regardless of what input triggers a function call, Veto evaluates the call against your policies. An image containing a prompt injection cannot bypass your authorization rules because Veto operates at the function call layer, not the content layer.

Multi-modal input with guarded toolstypescript

import { protect } from 'veto-sdk';

// Gemini processes images, audio, and video.
// Veto controls what functions can execute regardless of input modality.

const tools = await protect([
  {
    functionDeclarations: [
      {
        name: 'analyze_document',
        description: 'Extract and process document contents',
        parameters: {
          type: 'object',
          properties: {
            action: { type: 'string', enum: ['read', 'summarize', 'export'] },
            format: { type: 'string', enum: ['text', 'json', 'csv'] },
          },
          required: ['action'],
        },
      },
    ],
  },
]);

// Upload an image and let Gemini analyze it - with guardrails
const result = await model.generateContent([
  { inlineData: { mimeType: 'image/png', data: base64Image } },
  { text: 'Extract all PII from this document and export as CSV' },
  // Veto can block the 'export' action while allowing 'read' and 'summarize'
]);

Gemini-specific safety patterns

Function-level authorization

Control which function declarations Gemini can invoke. Block destructive operations in production, allow them in development environments. Policies apply per-environment without code changes.

Argument validation

Validate function arguments against policies before execution. Block emails to external domains, restrict file paths to safe directories, enforce amount limits on financial operations.

Grounding controls

When Gemini uses Google Search grounding, function call arguments may contain external data. Veto policies inspect these arguments and block or approve based on content patterns and data sensitivity.

Rate limiting

Prevent runaway agents from executing too many function calls. Set per-tool, per-user, or global rate limits. Critical for cost control when Gemini agents run in production loops.

How Veto protects Gemini agents

Wrap function declarations

Pass your Gemini function declarations through protect(). Veto registers them with the policy engine and returns compatible declarations.

Agent calls a function

Gemini decides to call a function based on user input. The function call is intercepted before execution.

Policy evaluation

Veto evaluates the function name and arguments against your policies. Deterministic rules, no LLM involved in the authorization decision.

Enforcement

Only authorized function calls execute. Blocked calls return a configurable response to Gemini. All decisions logged for audit.

Frequently asked questions

How do Gemini agent guardrails differ from Gemini's safety settings?

Gemini's built-in safety settings filter content categories (harassment, hate speech, dangerous content). Veto controls function execution: which functions can run, with what arguments, and under what conditions. They complement each other. Use Gemini safety for content, Veto for actions.

Does Veto work with Gemini 3.1 Pro and Gemini 3.1 Flash?

Yes. Veto operates at the function declaration level, which is consistent across all Gemini models that support function calling, including Gemini 3.1 Pro and Gemini 3.1 Flash. No model-specific configuration required.

Can prompt injection through images bypass Veto policies?

No. Veto evaluates function calls after Gemini decides what to call. Even if an image contains a prompt injection that convinces Gemini to call a dangerous function, Veto's policies are deterministic and independent of the model's reasoning. The function call is blocked regardless of why Gemini tried to make it.

How does Veto handle Gemini's parallel function calling?

Gemini can return multiple function calls in a single response. Veto evaluates each call independently against your policies. Some calls may be allowed while others are blocked. The agent receives the mixed results and can continue accordingly.

Related integrations

Claude

Anthropic Claude SDK integration

OpenAI

OpenAI GPT agents with authorization

Amazon Bedrock

AWS Bedrock agent runtime authorization

View all integrations

Secure your Gemini agents in minutes.

Start free View on GitHub